BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of - - PowerPoint PPT Presentation




SLIDE 1

BOTNETS

GRAD SEC

NOV 21 2017

SLIDE 2

TODAY’S PAPERS

SLIDE 3

BOTNETS

  • Collection of compromised machines (bots) under unified control of an attacker (botmaster)
  • Method of compromise decoupled from method of control
  • Launch a worm/virus, etc.: remember, payload is orthogonal!
  • Upon infection, a new bot “phones home” to rendezvous with botnet “command-and-control” (C&C)
  • Botmaster uses C&C to push out commands and updates


[Diagram: bots connected to a central C&C node]

Topology can be star (like this), hierarchical, peer-to-peer…

SLIDE 8

TORPIG

SLIDE 9

DOMAIN FLUXING

How do these bots know where to go?
  • Issue DNS lookups for a known hostname
  • Provides a level of indirection: bots know the name ahead of time, but the botmaster can move the C&C node to different IP addresses, as needed

Problem: network operators will simply firewall a known-malicious domain name

Domain fluxing: generate random domain names. Move on by the time you’re found
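The defender's view of domain fluxing is the resolver log: a bot walking through generated names produces long, high-entropy, vowel-poor labels and, because most of them were never registered, a burst of NXDOMAIN answers. The following is an added example written for these notes, not code from the lecture or from the Torpig paper. The log format, the client addresses, the domain names and the detection thresholds are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed resolver log for illustration (not traffic from the paper or the lecture):
# "<timestamp> <client_ip> <queried_name> <response_code>", one query per line.
# Client 10.0.0.7 stands in for an infected host walking through its generated names.
SAMPLE_DNS_LOG = """\
2017-11-21T10:00:01 10.0.0.5 www.example.com NOERROR
2017-11-21T10:00:02 10.0.0.5 mail.example.org NOERROR
2017-11-21T10:00:03 10.0.0.7 xk3qzv9wpt2m.com NXDOMAIN
2017-11-21T10:00:03 10.0.0.7 q8zjvbk4wtrx.net NXDOMAIN
2017-11-21T10:00:04 10.0.0.7 mzp7vxqwk2tj.com NXDOMAIN
2017-11-21T10:00:04 10.0.0.7 b3kqzxv8wpmt.biz NOERROR
2017-11-21T10:00:05 10.0.0.9 cdn.example.net NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical character distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname: str) -> str:
    """Label immediately left of the TLD: 'www.example.com' -> 'example'.
    Simplification: assumes a one-label public suffix; production code would
    consult the Public Suffix List so that names like 'example.co.uk' work."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname: str, min_len: int = 8, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels are typical of random
    generators. The thresholds are illustrative assumptions, not paper values."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_dns_log(text: str) -> list:
    """Split the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, qname, rcode = fields
        records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records


def suspicious_clients(text: str, min_hits: int = 3) -> dict:
    """Clients that issued at least min_hits generated-looking queries, with the
    number of those answered NXDOMAIN (a fluxing bot probes names nobody has
    registered, so an NXDOMAIN burst is the second tell-tale)."""
    generated = Counter()
    nxdomain = Counter()
    for rec in parse_dns_log(text):
        if looks_generated(rec["qname"]):
            generated[rec["client"]] += 1
            if rec["rcode"] == "NXDOMAIN":
                nxdomain[rec["client"]] += 1
    return {client: {"generated": n, "nxdomain": nxdomain[client]}
            for client, n in generated.items() if n >= min_hits}


if __name__ == "__main__":
    for client, stats in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {stats['generated']} generated-looking names, "
              f"{stats['nxdomain']} NXDOMAIN")
```

Entropy alone misfires on legitimate CDN hostnames and short labels, which is why the check also requires a minimum length and a low vowel ratio and why the alert is raised per client over several queries rather than per name. A real deployment would tune the thresholds against its own baseline traffic and use the Public Suffix List instead of the one-label TLD assumption.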


SLIDE 11

YOUR BOTNET IS MY BOTNET

Domain fluxing: generate random domain names. Move on by the time you’re found

(This) Botnet takeover:
  • Anticipate the domain names; register those not yet purchased
  • Keep in touch with bots, but never send a new config file
  • Worked with ISPs and law enforcement to take them down

ETHICAL CONCERN: DO NO HARM

SLIDE 12

WHAT DID THEY LEARN?

70GB over 10 days

SLIDE 13

BOTNET SIZE: HOW TO COUNT?


SLIDE 16

IP ADDRESSES ARE POOR IDENTIFIERS

NAT boxes:
  • Small set of public IP addresses (typically one), large set of private IP addresses (many)

Carrier-grade NATs (CGNATs):
  • NATs at a regional/national level
  • A single host can have a different IP address for each connection

“The trouble with Tor”
  • Tor exit nodes also NAT
  • Destinations cannot (based on IP addr) distinguish between the exit node’s traffic and Tor clients’ traffic
  • Cloudflare shows Tor users captchas to differentiate
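The counting problem from the preceding slides can be seen on a handful of check-in records: NAT makes several bots share one address (unique IPs undercount), while DHCP churn or per-connection CGNAT mappings make one bot appear under several addresses (unique IPs overcount). The example below is added for these notes and is not code or data from the paper; the records, the addresses and the `bot_id` field (standing in for whatever stable per-host identifier a C&C protocol carries) are constructed assumptions.

```python
from collections import defaultdict

# Constructed C&C check-in records for illustration (not data from the paper):
# (timestamp, source_ip, bot_id). bot_id is an assumed stable per-host identifier.
# Three bots share the NAT address 198.51.100.7, and bot b4 reappears from a
# second DHCP-assigned address later the same day.
CHECKINS = [
    ("2017-11-21T10:00", "198.51.100.7", "b1"),
    ("2017-11-21T10:01", "198.51.100.7", "b2"),
    ("2017-11-21T10:02", "198.51.100.7", "b3"),
    ("2017-11-21T10:03", "203.0.113.10", "b4"),
    ("2017-11-21T10:05", "203.0.113.99", "b5"),
    ("2017-11-21T22:03", "203.0.113.44", "b4"),
]


def count_unique_ips(checkins) -> int:
    """The naive estimate: one bot per distinct source address."""
    return len({ip for _, ip, _ in checkins})


def count_unique_bot_ids(checkins) -> int:
    """The estimate using the per-host identifier carried in the protocol."""
    return len({bot for _, _, bot in checkins})


def shared_ips(checkins) -> dict:
    """Addresses seen with more than one bot_id: NAT or CGNAT hides hosts
    behind them, so counting IPs undercounts here."""
    bots_by_ip = defaultdict(set)
    for _, ip, bot in checkins:
        bots_by_ip[ip].add(bot)
    return {ip: sorted(bots) for ip, bots in bots_by_ip.items() if len(bots) > 1}


def churning_bots(checkins) -> dict:
    """bot_ids seen from more than one address: DHCP churn or per-connection
    CGNAT mapping, so counting IPs overcounts here."""
    ips_by_bot = defaultdict(set)
    for _, ip, bot in checkins:
        ips_by_bot[bot].add(ip)
    return {bot: sorted(ips) for bot, ips in ips_by_bot.items() if len(ips) > 1}


def size_estimates(checkins) -> dict:
    """Both estimates side by side with the records that explain the gap."""
    return {
        "unique_ips": count_unique_ips(checkins),
        "unique_bot_ids": count_unique_bot_ids(checkins),
        "shared_ips": shared_ips(checkins),
        "churning_bots": churning_bots(checkins),
    }


if __name__ == "__main__":
    for key, value in size_estimates(CHECKINS).items():
        print(f"{key}: {value}")
```

On the constructed records the two estimates already disagree (4 addresses against 5 bots), and the two effects pull in opposite directions, so the gap does not even have a predictable sign. Whether a protocol-level identifier is itself trustworthy (it can be spoofed, reset by a reinstall, or collide across hosts) is a separate question the measurement has to address before treating it as ground truth.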